Re: Setting up clients for ssl only?

Steven Jones wrote:
8><----

Uh.....this means not a thing....where and how is it set?
On the server? Client? I.e., what and where is dse.ldif?

Sorry, I assumed a level of familiarity with the product that I should not have.

The file /opt/fedora-ds/slapd-instance/config/dse.ldif is the main server configuration file. This file is in LDIF format. The configuration is broken up into LDIF/LDAP entries. Each entry begins with a line like this:
dn: <entry DN>
Where <entry DN> is the distinguished name (DN) of the configuration entry. Each entry ends with a blank line (e.g. in perl this matches /^$/). The main configuration entry is cn=config - it begins in the file dse.ldif with the line
dn: cn=config
In this entry is an attribute named nsslapd-port which by default has a value of 389 e.g.
nsslapd-port: 389
Some default values are not written to dse.ldif. This one might not be, not sure.

If you set this value to 0, the server will not listen for non-secure connections. In order to change this value, you must first shut down the server. Then, using a text editor, edit the file, and change 389 to 0. If the attribute is not present in the entry, add it as the last line in the entry - make sure there are no empty lines before this one, and make sure there is a single empty line after it, before the start of the next entry.

Finally, I'll note that in one of your previous configurations that you posted, you have set it to use start_tls. If you want to use LDAP startTLS, _you must use the non-secure LDAP port_. Which means you cannot set it to 0. Fedora DS currently has no way to force all connections to first use the startTLS command. So if you use startTLS, there is no way to force all connections to use TLS/SSL.

Steven Jones wrote:
Is there a way to force clients to only connect via ssl?

You can set the nsslapd-port attribute in cn=config in dse.ldif to 0.

8><----

regards

Steven
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
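
Added example, not part of the original message and not Fedora DS code: a small check that reads a dse.ldif-style file, finds the cn=config entry and reports whether nsslapd-port leaves the non-secure listener on, treating a missing attribute as the default 389 mentioned in the reply. The function names and the sample text are assumptions made for illustration; the sample is constructed.

```python
# Added example (not Fedora DS code): report whether dse.ldif leaves the
# non-secure LDAP port open. Minimal LDIF reader, no base64 ("::") support.

DEFAULT_PORT = 389  # default stated in the thread, used when the attribute is absent

# Constructed sample, not a real server configuration.
SAMPLE = """\
dn: cn=config
objectClass: top
nsslapd-port: 0

dn: cn=encryption,cn=config
cn: encryption
"""


def parse_ldif(text):
    """Split LDIF text into entries, each a list of (attribute, value)."""
    entries, current = [], []
    for raw in text.splitlines():
        if not raw.strip():                      # blank line closes the entry
            if current:
                entries.append(current)
            current = []
        elif raw.startswith(" ") and current:    # folded line continues the value
            attr, value = current[-1]
            current[-1] = (attr, value + raw[1:])
        elif not raw.startswith("#"):            # skip comment lines
            attr, _, value = raw.partition(":")
            current.append((attr.strip().lower(), value.strip()))
    if current:
        entries.append(current)
    return entries


def plain_port_status(ldif_text):
    """Return (port, plain_ldap_enabled) from the cn=config entry."""
    for entry in parse_ldif(ldif_text):
        attrs = dict(entry)
        if attrs.get("dn", "").replace(" ", "").lower() != "cn=config":
            continue                             # e.g. cn=encryption,cn=config
        port = int(attrs.get("nsslapd-port", DEFAULT_PORT))
        return port, port != 0                   # 0 means no non-secure listener
    raise ValueError("no cn=config entry found")


if __name__ == "__main__":
    print(plain_port_status(SAMPLE))
```

A result with the second value False also means startTLS cannot be used, since startTLS needs the non-secure port.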
